Does your service organization need a System and Organization Controls (SOC) Report?

SOC COMPLIANCE

By Scott M. McAuliffe, CPA, CISA, CFE | Risk Advisory Services Partner

Part 1 of a 4 Part Series on SOC Reporting

It happens all too often, an anxious executive from a service organization calls us indicating that a prospective customer is requesting the service organization’s SOC report. The executive does a quick Google search and learns that a SOC report is an internal control report that is issued by a CPA firm. The executive wants to know how quickly they can get their report and how much it will cost.

Through these calls and countless meetings with service organizations, we have found there is a lot of education that needs to be provided to service organizations and their prospective customers. We regularly find that the type of report being requested is not appropriate given the type of service being provided. We also occasionally find that the type of service provided does not warrant a SOC report.

Determining whether you need a SOC 1 or SOC 2 report or both

For most service organizations, there are two reports that could meet the needs of its customers and the type of report depends on the nature of the service being provided.

SOC 1 Report

A SOC 1 report is appropriate for service organizations that process transactions that impact their customers’ financial statements or other customer facing financial reporting. Meaning, if the service organization processes a transaction incorrectly, it could cause their customer’s financial statements to be incorrect. For example, if a payroll service bureau incorrectly calculates their customer’s payroll for a week, their customer’s financial statement will not accurately reflect the actual payroll costs. Service organizations for whom a SOC 1 report could be appropriate include payroll service bureaus, third-party administrators, insurance or medical claims processors, and loan servicing companies to name a few.

SOC 2 Report

A SOC 2 report is provided to service organizations that provide a service where the main concern would be data security, system availability, system processing integrity, confidentiality, or privacy. Some service organizations for whom a SOC 2 report could appropriate include a SaaS provider, data center, healthcare services, and direct mailer. In each case, the service provided might not directly impact their customers’ financial statements; however, their customers could be concerned that their data is properly secured.

For a few “lucky” companies, such as a SaaS provider, both a SOC 1 and SOC 2 report could be appropriate based on the service/system provided.

Knowing this information, does your service organization need a SOC report? If so, do you need a SOC 1 or SOC 2 report or both? Is your prospective customer requesting the correct report or do you need to educate them?

Still having trouble making that determination? Keiter’s team of Risk Advisory Services professionals can help you. Email | Call: 804.747.0000

Additional SOC Resources:

• When to Choose a SOC 1 vs SOC 2 Report
• What are the SOC 2 Trust Services Criteria?
• SOC 2 Documents – What you need to provide your auditor
• The Hidden Costs of a SOC 2 and How to Avoid Them
• SOC 2 Challenges – Audit Evidence
• SOC 2 Challenges – Population Completeness